A central location for SBS ISA-specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.

Monday, November 14, 2005

Allowing the HP Indigo Press to Phone Home

Clients that own the HP Indigo printing press are billed by Hewlett Packard on a per-page basis. Maintenance costs and print costs are based on usage. To get this information up to HP so they can bill the client, a software package runs several times a day and phones (or rather Internets) home how much the press has printed. This traffic uses a specific range of ports. Fortunately for me, HP provided good documentation on which ports their software requires.

Ports required (outbound): 40000-40199 and 6055.

Before beginning, I started live logging on ISA and watched the packets get denied. I really didn't want to open such a large range of ports, so I watched to see what the software was actually trying to do. As it turns out, the software sends a small packet of information over a large number of ports simultaneously.

We have a limitation in that the HP press can't join the domain and it won't authenticate. The HP tech set it up as a SecureNAT client on the network, in a workgroup called workgroup. Being a SecureNAT client really limits our ability to control access. Since the HP press isn't capable of telling us who it is, the rule can't be scoped by user and has to apply to All Users. It can still be scoped by address, though: if the press has a fixed IP, a Computer object (or a small address range) for that IP makes a tighter rule source than the whole Internal network, so only the press gets these ports rather than every machine on the LAN. At least we don't have to allow access to any additional ports inbound to make this work.

Here's how I did it. Open ISA Management. Click on Firewall Policy. Click Create New Access Rule. Name the rule HP Indigo 40000-40199. Click Next. Choose Allow. Click Next. Leave This rule applies to All outbound traffic and click the Ports button. Click on Limit access to traffic from this range of source ports and enter 40000 in the From box and 40199 in the To box. Click OK. Click Next. On the sources page click the Add button, expand Networks and choose Internal (or, better, a Computer object holding the press's IP address). Click Close. Click Next. On the destinations page add the External network the same way. Click Next. Leave This rule applies to All Users and click Next. Click Finish. Follow the same procedure to allow outbound traffic over port 6055. Note that the Ports button on the Protocols page restricts the client's source port only; with the protocol left at All outbound traffic, the rule permits any protocol to any destination port as long as the source port is in the range. If you want the destination side pinned down as well, define a custom protocol (Firewall Policy, Toolbox, Protocols, New, Protocol) with the port range as an outbound TCP or UDP range and use that protocol in the rule instead of All outbound traffic.

Apply the rule, fire up live logging, and have the press operator send data to HP. You should now see only allowed packets in the log.
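As an added check (example code written for this post, not HP's software or the author's own procedure), here is a small Python script that does the same log review offline from an exported ISA firewall log instead of from the live logging window. Before the rule, it lists the ports the press was denied on and flags any that fall outside the documented ranges; after the rule, it confirms the press is no longer being denied and lists any other internal hosts that the new rule is also letting out, which is the cost of an Internal / All Users rule. The export is assumed to be in W3C format with a #Fields header; the column names, IP addresses and rule names in the embedded sample are constructed for the example and have to be mapped onto whatever your own export contains.

```python
"""Review an exported ISA Server firewall log for the HP Indigo phone-home rule.

Added example for this post, not code from HP or the original author. Assumes a
W3C-format export with a '#Fields:' header line. The field names used below
(client-ip, destination-port, action, rule) are assumptions; map them onto the
names in your own export.
"""
from collections import Counter

# Outbound ports the post says HP's software needs: 40000-40199 and 6055.
REQUIRED_PORTS = set(range(40000, 40200)) | {6055}

# Constructed sample exports. 192.168.16.40 stands in for the press, the
# 203.0.113.x / 198.51.100.x addresses for the remote hosts it contacts,
# and the rule names are made up (ISA's real export is tab separated and
# the rule names contain spaces; adjust parse_w3c if you keep those).
BEFORE_RULE = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2004
#Fields: date time client-ip source-port destination-ip destination-port protocol action rule
2005-11-14 09:02:11 192.168.16.40 40000 203.0.113.10 40000 TCP Denied Default_rule
2005-11-14 09:02:11 192.168.16.40 40017 203.0.113.10 40017 TCP Denied Default_rule
2005-11-14 09:02:11 192.168.16.40 40198 203.0.113.10 40198 TCP Denied Default_rule
2005-11-14 09:02:12 192.168.16.40 1047 203.0.113.10 6055 TCP Denied Default_rule
2005-11-14 09:02:12 192.168.16.40 1048 203.0.113.10 443 TCP Allowed Web_access
2005-11-14 09:02:13 192.168.16.51 1102 198.51.100.7 40005 TCP Denied Default_rule
"""

AFTER_RULE = """\
#Fields: date time client-ip source-port destination-ip destination-port protocol action rule
2005-11-14 14:30:02 192.168.16.40 40000 203.0.113.10 40000 TCP Allowed HP_Indigo_40000-40199
2005-11-14 14:30:02 192.168.16.40 40017 203.0.113.10 40017 TCP Allowed HP_Indigo_40000-40199
2005-11-14 14:30:03 192.168.16.40 1051 203.0.113.10 6055 TCP Allowed HP_Indigo_6055
2005-11-14 14:31:10 192.168.16.51 40102 198.51.100.7 40102 TCP Allowed HP_Indigo_40000-40199
"""


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names in '#Fields:'."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # #Software, #Date and similar directives
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def denied_ports(records, client_ip, port_field="destination-port"):
    """Ports one client was denied on, split into documented and undocumented.

    Returns (documented, undocumented), each a Counter of port -> hit count.
    Anything in 'undocumented' is traffic the HP port list does not account for
    and deserves a look before any rule is widened to cover it.
    """
    documented, undocumented = Counter(), Counter()
    for r in records:
        if r["client-ip"] != client_ip or r["action"] != "Denied":
            continue
        port = int(r[port_field])
        (documented if port in REQUIRED_PORTS else undocumented)[port] += 1
    return documented, undocumented


def check_after_rule(records, press_ip, rule_prefix="HP_Indigo"):
    """Post-change check: is the press still denied, and who else uses the rule?

    Returns (denied_count_for_press, sorted list of other client IPs that were
    allowed out by a rule whose name starts with rule_prefix).
    """
    still_denied = sum(1 for r in records
                       if r["client-ip"] == press_ip and r["action"] == "Denied")
    other_hosts = sorted({r["client-ip"] for r in records
                          if r["action"] == "Allowed"
                          and r["rule"].startswith(rule_prefix)
                          and r["client-ip"] != press_ip})
    return still_denied, other_hosts


if __name__ == "__main__":
    press = "192.168.16.40"
    documented, undocumented = denied_ports(parse_w3c(BEFORE_RULE), press)
    print("denied on documented ports:  ", sorted(documented))
    print("denied on undocumented ports:", sorted(undocumented))
    still_denied, others = check_after_rule(parse_w3c(AFTER_RULE), press)
    print("press still denied after rule:", still_denied)
    print("other hosts let out by the HP rule:", others)
```

If the last list is non-empty after the change, the Internal / All Users source is doing exactly what the post warns about: every SecureNAT host on the LAN can now talk out on those ports, not just the press. Narrowing the rule's source to a Computer object for the press's address removes that, and the report goes empty.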
